멍멍
http://www.hackerschool.org
The WIKI server went down temporarily.

http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=37


It's the server at my house, and it sometimes goes down for unexpected reasons ㅠ.ㅠ

I'm copying and posting Part 1, which was the part being worked on last.



Now, um.. For the past couple of years I have been doing code review for a lot of large code bases.
For the past few years I have been doing code review on massive amounts of code.

And initially when I started uh.. doing code review,
And when I first started doing code review,

it was pretty difficult trying to figure out everything, like, I had 60,000 ~ 70,000 lines of code.
Analyzing all 60,000 to 70,000 lines of code was quite hard.

I had to review that code, trying to find defects, and it's really difficult for any one person or single team to go
I had to review that 60,000-line code and tried to find defects in it.. but that was a very difficult job for one person or one team.
and review code without communicating and following through every single step.
And we analyzed it by following the code line by line, without talking to or sharing with one another.

So, *** past two years or so, it ah... with the help of a few friends of mine at my ex-company that I used to work for, I came up with some part of a methodology.
Two years passed.. and with the help of a few friends I met at the company I used to work for, I set out to find some methods.

Later on... last year, I think Microsoft started pushing threat analysis quite a bit,
After that.. last year, I think MS started putting quite a lot of support behind threat analysis.

I looked into that and liked their ideas as well,
I looked into MS's approach and thought the ideas were good.

so I tried to come up with some more different techniques of reviewing large source code bases.
And I started researching my own, different techniques for reviewing large amounts of source code.

And today I'm going to try to focus this talk on that particular topic.
And today I'm going to focus on this topic.

Basically, how do you go about reviewing large code bases, doing source code review and doing focused source code review to get the most effective result.
Basically, when analyzing a massive amount of source code, how should we focus in order to get slightly more effective results?

um.. Defense in depth today
Today's thorough defense (security)

We have firewalls, this is a big picture I guess,
We use firewalls, the picture is too big,

we have Firewalls, we have our DMZ, Host Assessment
We use firewalls, and we also use a DMZ and Host Assessment.

We have difficult Hardened Builds, Vulnerability Scanning, but now this Code Review is becoming more and more popular
We have good vulnerability scanners, but these days source code review is getting more and more attention.

A lot of companies want you to not just come and do a web pentest of it
Big companies don't want you to just come in, do nothing but web hacking the whole time, and leave.

their product company; not just do black box testing but also look at code review.
Those companies want you to do everything, black box testing and code review as well.

and.. How do we go about doing that code review?
Then.. how should we do code review?

So this is the six-point methodology
What is listed here is the six-point methodology for code review.

Start with Threat Model; we'll talk about Threat Modeling,
We'll start by talking about the threat model. I mean threat modeling.

basically uh.. trying to get a data flow diagram of the entire application,
Basically it refers to the process of obtaining a diagram of the entire program.

and trying to figure out all the major entry points,
And we analyze all the entry points, that is, the points of entry.

application, all the major warns for someone who's going to access something, and *****
The program gives an important warning when someone tries to access something.

trying to see if there are vulnerabilities that could be a threat at a particular point
We can look for vulnerabilities that could become a threat in a specific situation.

like for a web application, if like Google, the biggest threat point might be at the search, the search field itself
For example, in the case of a web application, say Google, the biggest threat point could be the search field itself.

if they hardened *** put their, set the filter properly, there would be no problems.
If filtering of user input was put in correctly, there would be no problem in this part.

or something along those lines, so we will talk about every single major entry point


and what the different techniques are that we can use to go about doing that.
I will also explain what differences there are in our approach.


The second step typically is to do a Cursory Code Review.
Second step *** a simple code review

The reason for that is that every single person in the world doing a code review
should understand how the entire application is written,
have a common (place) where you have (all your variables) (stored), have a common place where you have all your common notes (stored), so that when initially you're
reviewing it you are understanding the (mind set of the) programmer.


The goal is to think like, wonder what the programmer was trying to do all there.


You're not going to go into depth; you just see what exactly is happening from the variables' point of view **.


Then you're going to do separation of code; we will talk about a couple of (metrics), (there's) standard (metrics) that Microsoft came up with, and then
there's (metrics) 엠플로포우 application architecture trying to be a value 투들 *** (difference) separations, how do you give value to
it, how do you figure out what exactly would give you more benefit to focus your (dying) towards.


Then we will talk about maintaining code notes with the reviewer's name.


This is very important simply because reviewer A might be reviewing a bunch of code, and he will understand it and put notes down;
reviewer B could also be accessing the same function, and he doesn't have to *** spend time trying to understand the function call again.


So it is a good idea to have reviewer notes and reviewer names; also, little (they) what we (end up) doing is giving customers just a graph for that
particular name, and *** you don't have to maintain multiple notes ***
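The two steps of the methodology that lend themselves to tooling are the threat model's entry-point enumeration and the shared reviewer notes described just above. The following is an added example, not code from the talk or from the Hackerschool translation project: it parses a constructed Python web-application module, lists the functions marked as entry points, follows each entry point into the helpers it reaches, and keeps notes keyed by function with the reviewer's name so that a second reviewer can see what was already covered. The decorator names it treats as route markers (`route`, `get`, `post`), the sample module and the reviewer names are all assumptions made for the example.

```python
"""Added example: entry-point enumeration plus reviewer notes keyed by function.
Not from the original talk; the sample module and decorator names are constructed."""
from __future__ import annotations

import ast
from dataclasses import dataclass, field

# Constructed sample: the kind of small web-application module a reviewer is handed.
SAMPLE_SOURCE = '''
@app.route("/search")
def search(request):
    q = request.args["q"]
    return render(q)

@app.route("/admin/export")
def export_report(request):
    return build_report(request.user)

def build_report(user):
    return "report for " + user.name

def render(text):
    return "<p>" + text + "</p>"
'''

# Assumption: these decorator attribute names mark externally reachable handlers.
ROUTE_DECORATORS = {"route", "get", "post"}


def find_entry_points(source: str) -> dict[str, str]:
    """Return {function_name: route_path} for every function carrying a
    route-style decorator; these are the entry points the threat model starts from."""
    entry_points: dict[str, str] = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for dec in node.decorator_list:
            if (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                    and dec.func.attr in ROUTE_DECORATORS and dec.args):
                path = dec.args[0]
                if isinstance(path, ast.Constant) and isinstance(path.value, str):
                    entry_points[node.name] = path.value
    return entry_points


def find_callees(source: str) -> dict[str, set[str]]:
    """Return {function_name: {names of functions it calls}} for top-level functions,
    so an entry point can be followed into the helpers it reaches."""
    callees: dict[str, set[str]] = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            names = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name):
                    names.add(sub.func.id)
            callees[node.name] = names
    return callees


def reachable_from(entry: str, callees: dict[str, set[str]]) -> set[str]:
    """Transitive closure of the functions reachable from one entry point."""
    seen: set[str] = set()
    todo = [entry]
    while todo:
        fn = todo.pop()
        if fn in seen:
            continue
        seen.add(fn)
        todo.extend(callees.get(fn, ()))
    return seen


@dataclass
class ReviewNotes:
    """Shared notes keyed by function name; every note carries the reviewer's
    name, so reviewer B sees that reviewer A already covered a helper."""
    notes: dict[str, list[tuple[str, str]]] = field(default_factory=dict)

    def add(self, function: str, reviewer: str, text: str) -> None:
        self.notes.setdefault(function, []).append((reviewer, text))

    def reviewed_by(self, function: str) -> list[str]:
        return [reviewer for reviewer, _ in self.notes.get(function, [])]

    def unreviewed(self, functions) -> list[str]:
        return sorted(fn for fn in functions if fn not in self.notes)


def demo() -> dict:
    """Run the three steps over the constructed sample and return the findings."""
    entries = find_entry_points(SAMPLE_SOURCE)
    callees = find_callees(SAMPLE_SOURCE)
    notes = ReviewNotes()
    # Reviewer A (assumed name) annotates the shared helper once.
    notes.add("render", "reviewer A",
              "builds HTML from caller-supplied text; confirm every caller filters its input")
    # Reviewer B reaches render() from /search and reads A's note instead of re-analyzing it.
    return {
        "entry_points": entries,
        "search_reaches": reachable_from("search", callees),
        "render_reviewed_by": notes.reviewed_by("render"),
        "still_unreviewed": notes.unreviewed(callees),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it lists `/search` and `/admin/export` as the entry points, shows that `/search` reaches `render`, and reports `build_report`, `export_report` and `search` as the functions nobody has annotated yet, which is the list the team still has to split up.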


  Hit : 1572     Date : 2011/05/16 10:43



    
W.H.: I was the one who was supposed to do this... Next time I'll make sure my portion gets done. 2011/05/16
멍멍: The WIKI is back up!! 2011/05/16